[ [0x70] Features ] Webhooks System

Webhooks System

> Production-grade webhook system with 22 event types, HMAC-SHA256 signature verification, and automatic retry with exponential backoff.

Overview

[ [0x70] STATUS ]

The webhooks system allows your application to send HTTP callbacks to external services when specific events occur. This is essential for integrating with third-party services, triggering external workflows, and keeping systems in sync.

Features

[ [0x01] 22_EVENT_TYP ]

STATUS: READY

DESC: User, payment, organization, and system events

[ [0x02] HMAC_SHA256_ ]

STATUS: READY

DESC: Secure signature verification for all deliveries

[ [0x03] AUTOMATIC_RE ]

STATUS: READY

DESC: Exponential backoff with configurable retry limits

[ [0x04] DELIVERY_TRA ]

STATUS: READY

DESC: Full history of webhook deliveries and responses

Usage

[ [0x63] CREATING WEBHOOKS ]

1// API Route: POST /api/v1/webhooks
2import { auth } from "@/lib/auth";
3import { prisma } from "@/lib/db";
4import { generateWebhookSecret } from "@/lib/webhooks/server";
5
6export async function POST(req: Request) {
7  const session = await auth();
8  if (!session?.user) {
9    return Response.json({ error: "Unauthorized" }, { status: 401 });
10  }
11
12  const { url, events, description } = await req.json();
13
14  // Generate a unique secret for this webhook
15  const secret = generateWebhookSecret();
16
17  const webhook = await prisma.webhook.create({
18    data: {
19      url,
20      events,
21      description,
22      secret,
23      userId: session.user.id,
24      isActive: true,
25    },
26  });
27
28  return Response.json({
29    id: webhook.id,
30    url: webhook.url,
31    events: webhook.events,
32    secret: webhook.secret, // Show once on creation
33  });
34}

[ [0x02] SENDING WEBHOOKS ]

Trigger webhook deliveries from your application

1// src/lib/webhooks/server.ts
2import crypto from "crypto";
3import { prisma } from "@/lib/db";
4
5export async function sendWebhook(
6  event: string,
7  payload: Record<string, any>,
8  userId?: string
9) {
10  // Find all active webhooks subscribed to this event
11  const webhooks = await prisma.webhook.findMany({
12    where: {
13      isActive: true,
14      events: { has: event },
15      ...(userId && { userId }),
16    },
17  });
18
19  for (const webhook of webhooks) {
20    await deliverWebhook(webhook, event, payload);
21  }
22}
23
24async function deliverWebhook(webhook, event, payload) {
25  const body = JSON.stringify({
26    event,
27    payload,
28    timestamp: new Date().toISOString(),
29  });
30
31  // Generate HMAC signature
32  const signature = crypto
33    .createHmac("sha256", webhook.secret)
34    .update(body)
35    .digest("hex");
36
37  const response = await fetch(webhook.url, {
38    method: "POST",
39    headers: {
40      "Content-Type": "application/json",
41      "X-Webhook-Signature": signature,
42      "X-Webhook-Event": event,
43    },
44    body,
45  });
46
47  // Log delivery
48  await prisma.webhookDelivery.create({
49    data: {
50      webhookId: webhook.id,
51      event,
52      payload,
53      statusCode: response.status,
54      success: response.ok,
55    },
56  });
57}
58
59// Usage
60await sendWebhook("user.created", {
61  id: user.id,
62  email: user.email,
63  name: user.name,
64});

[ [0x44] VERIFYING WEBHOOKS (RECEIVER SIDE) ]

When receiving webhooks, always verify the signature

1// In your webhook receiver endpoint
2import crypto from "crypto";
3
4export async function POST(req: Request) {
5  const body = await req.text();
6  const signature = req.headers.get("X-Webhook-Signature");
7  const event = req.headers.get("X-Webhook-Event");
8
9  // Your webhook secret (stored securely)
10  const secret = process.env.WEBHOOK_SECRET!;
11
12  // Verify signature using timing-safe comparison
13  const expectedSignature = crypto
14    .createHmac("sha256", secret)
15    .update(body)
16    .digest("hex");
17
18  const isValid = crypto.timingSafeEquals(
19    Buffer.from(signature || ""),
20    Buffer.from(expectedSignature)
21  );
22
23  if (!isValid) {
24    return Response.json({ error: "Invalid signature" }, { status: 401 });
25  }
26
27  // Process the webhook
28  const data = JSON.parse(body);
29  console.log(`Received ${event}:`, data.payload);
30
31  return Response.json({ received: true });
32}

[ [0xA6] RETRY LOGIC ]

Failed webhooks are automatically retried with exponential backoff

1// Retry configuration
2const RETRY_CONFIG = {
3  maxRetries: 5,
4  initialDelay: 60,    // 1 minute
5  maxDelay: 3600,      // 1 hour
6  backoffMultiplier: 2,
7};
8
9// Retry delays: 1min, 2min, 4min, 8min, 16min
10
11async function queueWebhookRetry(
12  webhookId: string,
13  event: string,
14  payload: Record<string, any>,
15  attempt: number = 1
16) {
17  if (attempt > RETRY_CONFIG.maxRetries) {
18    // Mark webhook as failed after max retries
19    await prisma.webhookDelivery.update({
20      where: { id: deliveryId },
21      data: { status: "FAILED" },
22    });
23    return;
24  }
25
26  const delay = Math.min(
27    RETRY_CONFIG.initialDelay * Math.pow(RETRY_CONFIG.backoffMultiplier, attempt - 1),
28    RETRY_CONFIG.maxDelay
29  );
30
31  // Schedule retry (using your job queue)
32  await scheduleJob("webhook:retry", {
33    webhookId,
34    event,
35    payload,
36    attempt: attempt + 1,
37  }, { delay: delay * 1000 });
38}

Event Types

[ [0x33] EVENT TYPES ]

Available webhook event types organized by category:

User Events

• user.created
• user.updated
• user.deleted
• user.email verified

Payment Events

• payment.completed
• payment.failed
• subscription.created
• subscription.cancelled

Organization Events

• organization.created
• organization.updated
• member.invited
• member.joined
• member.removed

System Events

• webhook.test
• api key.created
• api key.revoked

Security Best Practices

[ [0x1C] SECURITY BEST PRACTICES ]

├─ Always verify signatures: Use HMAC-SHA256 with timing-safe comparison
├─ Use HTTPS only: Never send webhooks to HTTP endpoints
├─ Rotate secrets: Allow users to regenerate webhook secrets
├─ Validate payloads: Sanitize and validate all webhook payloads
├─ Set timeouts: Use short timeouts (5-10s) for webhook deliveries
└─ Log everything: Track all deliveries for debugging and audit

Features

[ [0x01] 22_EVENT_TYP ]

STATUS: READY

DESC: User, payment, organization, and system events

[ [0x02] HMAC_SHA256_ ]

STATUS: READY

DESC: Secure signature verification for all deliveries

[ [0x03] AUTOMATIC_RE ]

STATUS: READY

DESC: Exponential backoff with configurable retry limits

[ [0x04] DELIVERY_TRA ]

STATUS: READY

DESC: Full history of webhook deliveries and responses

Usage

[ [0x63] CREATING WEBHOOKS ]

1// API Route: POST /api/v1/webhooks
2import { auth } from "@/lib/auth";
3import { prisma } from "@/lib/db";
4import { generateWebhookSecret } from "@/lib/webhooks/server";
5
6export async function POST(req: Request) {
7  const session = await auth();
8  if (!session?.user) {
9    return Response.json({ error: "Unauthorized" }, { status: 401 });
10  }
11
12  const { url, events, description } = await req.json();
13
14  // Generate a unique secret for this webhook
15  const secret = generateWebhookSecret();
16
17  const webhook = await prisma.webhook.create({
18    data: {
19      url,
20      events,
21      description,
22      secret,
23      userId: session.user.id,
24      isActive: true,
25    },
26  });
27
28  return Response.json({
29    id: webhook.id,
30    url: webhook.url,
31    events: webhook.events,
32    secret: webhook.secret, // Show once on creation
33  });
34}

[ [0x02] SENDING WEBHOOKS ]

Trigger webhook deliveries from your application

1// src/lib/webhooks/server.ts
2import crypto from "crypto";
3import { prisma } from "@/lib/db";
4
5export async function sendWebhook(
6  event: string,
7  payload: Record<string, any>,
8  userId?: string
9) {
10  // Find all active webhooks subscribed to this event
11  const webhooks = await prisma.webhook.findMany({
12    where: {
13      isActive: true,
14      events: { has: event },
15      ...(userId && { userId }),
16    },
17  });
18
19  for (const webhook of webhooks) {
20    await deliverWebhook(webhook, event, payload);
21  }
22}
23
24async function deliverWebhook(webhook, event, payload) {
25  const body = JSON.stringify({
26    event,
27    payload,
28    timestamp: new Date().toISOString(),
29  });
30
31  // Generate HMAC signature
32  const signature = crypto
33    .createHmac("sha256", webhook.secret)
34    .update(body)
35    .digest("hex");
36
37  const response = await fetch(webhook.url, {
38    method: "POST",
39    headers: {
40      "Content-Type": "application/json",
41      "X-Webhook-Signature": signature,
42      "X-Webhook-Event": event,
43    },
44    body,
45  });
46
47  // Log delivery
48  await prisma.webhookDelivery.create({
49    data: {
50      webhookId: webhook.id,
51      event,
52      payload,
53      statusCode: response.status,
54      success: response.ok,
55    },
56  });
57}
58
59// Usage
60await sendWebhook("user.created", {
61  id: user.id,
62  email: user.email,
63  name: user.name,
64});

[ [0x44] VERIFYING WEBHOOKS (RECEIVER SIDE) ]

When receiving webhooks, always verify the signature

1// In your webhook receiver endpoint
2import crypto from "crypto";
3
4export async function POST(req: Request) {
5  const body = await req.text();
6  const signature = req.headers.get("X-Webhook-Signature");
7  const event = req.headers.get("X-Webhook-Event");
8
9  // Your webhook secret (stored securely)
10  const secret = process.env.WEBHOOK_SECRET!;
11
12  // Verify signature using timing-safe comparison
13  const expectedSignature = crypto
14    .createHmac("sha256", secret)
15    .update(body)
16    .digest("hex");
17
18  const isValid = crypto.timingSafeEquals(
19    Buffer.from(signature || ""),
20    Buffer.from(expectedSignature)
21  );
22
23  if (!isValid) {
24    return Response.json({ error: "Invalid signature" }, { status: 401 });
25  }
26
27  // Process the webhook
28  const data = JSON.parse(body);
29  console.log(`Received ${event}:`, data.payload);
30
31  return Response.json({ received: true });
32}

[ [0xA6] RETRY LOGIC ]

Failed webhooks are automatically retried with exponential backoff

1// Retry configuration
2const RETRY_CONFIG = {
3  maxRetries: 5,
4  initialDelay: 60,    // 1 minute
5  maxDelay: 3600,      // 1 hour
6  backoffMultiplier: 2,
7};
8
9// Retry delays: 1min, 2min, 4min, 8min, 16min
10
11async function queueWebhookRetry(
12  webhookId: string,
13  event: string,
14  payload: Record<string, any>,
15  attempt: number = 1
16) {
17  if (attempt > RETRY_CONFIG.maxRetries) {
18    // Mark webhook as failed after max retries
19    await prisma.webhookDelivery.update({
20      where: { id: deliveryId },
21      data: { status: "FAILED" },
22    });
23    return;
24  }
25
26  const delay = Math.min(
27    RETRY_CONFIG.initialDelay * Math.pow(RETRY_CONFIG.backoffMultiplier, attempt - 1),
28    RETRY_CONFIG.maxDelay
29  );
30
31  // Schedule retry (using your job queue)
32  await scheduleJob("webhook:retry", {
33    webhookId,
34    event,
35    payload,
36    attempt: attempt + 1,
37  }, { delay: delay * 1000 });
38}

Event Types

[ [0x33] EVENT TYPES ]

Available webhook event types organized by category:

User Events

• user.created
• user.updated
• user.deleted
• user.email verified

Payment Events

• payment.completed
• payment.failed
• subscription.created
• subscription.cancelled

Organization Events

• organization.created
• organization.updated
• member.invited
• member.joined
• member.removed

System Events

• webhook.test
• api key.created
• api key.revoked

Security Best Practices

[ [0x1C] SECURITY BEST PRACTICES ]

├─ Always verify signatures: Use HMAC-SHA256 with timing-safe comparison
├─ Use HTTPS only: Never send webhooks to HTTP endpoints
├─ Rotate secrets: Allow users to regenerate webhook secrets
├─ Validate payloads: Sanitize and validate all webhook payloads
├─ Set timeouts: Use short timeouts (5-10s) for webhook deliveries
└─ Log everything: Track all deliveries for debugging and audit